Overview

Why does this topic matter to organisations?

National Data Protection Authorities ("DPAs") are appointed to implement and enforce data protection law, and to offer guidance. As set out in Chapter 16, DPAs have significant enforcement powers, including the ability to issue substantial fines. Understanding the role and responsibilities of DPAs is vital to achieving compliance.

What types of organisations are most affected?

The nature of an organisation's business, and the sector in which it operates, makes no difference to the ability of DPAs to enforce the law against that organisation. DPAs have the power and authority to regulate all organisations and all forms of business activity, to the extent that personal data are processed.

What should organisations do to prepare?

The appropriate preparations depend on the nature of the organisation's business:

organisations that operate in multiple Member States will need to carefully consider their options in relation to establishment and the "One-Stop-Shop".

organisations that only operate in a single Member State (and only process personal data of residents of that Member State) are unlikely to notice significant differences in their interactions with DPAs.

Detailed analysis

For each issue below, the position under the Directive is compared with the position under the GDPR, followed by the practical impact for organisations.

Role of DPAs

Issue: DPAs are responsible for enforcing data protection laws at a national level, and providing guidance on the interpretation of those laws.

The Directive (Art.28): Each Member State is required to appoint one or more DPAs to implement the Directive and protect the rights and freedoms of individuals.

The GDPR (Rec.117; Art.51): Each Member State is required to appoint one or more DPAs to implement the Regulation and protect the rights and freedoms of individuals.

Impact: The primary roles and responsibilities of DPAs do not significantly change. Organisations can largely rely on their existing experience of interactions with DPAs.

Jurisdiction

Issue: Each DPA is appointed at a national level, through national legislation. Its jurisdiction and enforcement powers are largely restricted to the territory of its own Member State.

The Directive (Art.28): Each DPA has oversight of processing activities taking place on the territory of its own Member State only.

The GDPR (Rec.124; Art.51, 55, 56): Each DPA can only exercise its powers on the territory of its own Member State but, under the "One-Stop-Shop" (see below), the DPA's regulatory actions may affect processing that occurs in other Member States.

Impact: Organisations that operate across multiple Member States will face a new set of challenges in their interactions with DPAs.

Organisations that operate only within a single Member State, and only process personal data of residents of that Member State, will be largely unaffected.

Independence

Issue: DPAs must be free from all outside influences, including government control.

The Directive (Art.28(1)): Each DPA must act with complete independence in carrying out its functions.

The GDPR (Rec.117, 118 & 121; Art.52): Each DPA must act with complete independence in carrying out its functions.

Impact: The GDPR essentially replicates the requirements set out in the Directive, albeit in greater detail.

Establishment and appointment of DPAs

Issue: In order to ensure that DPAs apply and enforce EU data protection law in a fair, uniform and impartial manner, certain minimum requirements must be met in terms of their establishment and appointment.

The Directive (Art.28): Each DPA must:

have the skills and experience necessary to perform the role; and

be subject to a duty of professional secrecy.

The GDPR (Rec.121; Art.53-54): Each DPA must:

be created through a transparent procedure;

have the skills and experience necessary to perform the role; and

be subject to a duty of professional secrecy.

Impact: The changes in the GDPR are unlikely to impact organisations acting in a business context.

The "One-Stop-Shop"

Issue: The concept of a "One-Stop-Shop" is found in other areas of regulatory enforcement (e.g., trading standards). The aim of the One-Stop-Shop is to provide a single, uniform decision-making process in circumstances in which multiple regulators have responsibility for regulating the same activity performed by the same organisation in different Member States.

The WP29 has issued Guidelines on Lead DPAs (WP 244) (the "Lead DPA Guidelines") which provide further clarity on how to determine which DPA is the lead DPA for a given controller.

The Directive (N/A): The Directive does not provide a One-Stop-Shop mechanism. As a result, it is not uncommon for a single organisation to be subject to inconsistent decisions from DPAs across multiple Member States.

The GDPR (Rec.124-128; Art.55-56; WP29 Lead DPA Guidelines): Identifying a lead DPA is only relevant where a controller or processor established in the EU is carrying out cross-border processing of personal data (as defined in Article 4(23) of the GDPR). If a controller has establishments in multiple Member States, the DPA for its "main establishment" (i.e., the place where its main processing decisions are taken) will be its lead DPA. The lead DPA has the power to regulate that controller across all Member States (to the extent its data processing activities involve cross-border data processing).

Forum-shopping is not permitted and organisations should be able to demonstrate the basis for claiming a main establishment, taking into account the following factors:

where decisions about processing are made;

where the power to implement those decisions lies;

where the decision-makers with responsibility for the processing are located;

where the relevant entity has its corporate registrations.

Impact: In theory, the "One-Stop-Shop" will mean greater harmonisation, and the more uniform application of EU data protection law, as an organisation will generally deal with a single lead DPA.

Whilst the Lead DPA Guidelines encourage informal cooperation between lead and concerned DPAs to reach a mutually acceptable course of action, in practice, it remains to be seen whether DPAs will abide by the requirements of the "One-Stop-Shop" and refrain from attempting to regulate organisations that are subject to another DPA's jurisdiction.

Tasks of DPAs

Issue: DPAs are required to perform certain tasks, including monitoring and enforcement of EU data protection law.

The Directive (Art.28(4)): The tasks of DPAs include obligations to:

monitor and enforce the application of the Directive (as implemented under the laws of the relevant Member State); and

hear claims brought by data subjects or their representatives, and inform data subjects of the outcome of such claims.

The GDPR (Rec.122, 123; Art.55, 57): The tasks of DPAs include obligations to:

monitor and enforce the application of the GDPR;

promote awareness of the risks, rules, safeguards and rights pertaining to personal data (especially in relation to children);

advise national and governmental institutions on the application of the GDPR;

hear claims brought by data subjects or their representatives, and inform data subjects of the outcome of such claims;

establish requirements for Impact Assessments;

encourage the creation of Codes of Conduct and review certifications (see Chapter 12);

Impact: The tasks of DPAs are significantly more broadly defined in the GDPR than in the Directive. However, in the overwhelming majority of cases, these changes will make little practical difference to organisations acting in a business context.

Powers of DPAs

Issue: DPAs have the power to enforce data protection laws at a national level.

The Directive (Art.28(3)): Each DPA has oversight of processing activities taking place on the territory of its own Member State only.

The GDPR (Rec.129; Art.58): DPAs are empowered to oversee enforcement of the GDPR, investigate breaches of the GDPR and bring legal proceedings where necessary.

Impact: The legal powers of DPAs are largely unchanged. At a practical level, it is likely that there will continue to be some variation between the practical enforcement powers available to DPAs, due to variations in the national laws of Member States.

Activity reports

Issue: In order to ensure fairness and transparency, DPAs are required to draw up and publish regular reports explaining their activities.

The Directive (Art.28(5)): Each DPA must, at regular intervals, draw up a report on its activities. The report must be made available to the public.

The GDPR (Art.59): Each DPA must draw up an annual report on its activities. The report must be made available to the public.

Impact: The GDPR essentially replicates the requirements set out in the Directive.

EU-level DPA coordination

Issue: In principle, DPAs meet together to agree on important issues and offer guidance on the correct interpretation of EU data protection law. Although this guidance is not legally binding, it is often indicative of the enforcement position that individual DPAs will take.

The Directive (Art.29): The WP29 is made up of representatives of DPAs from each Member State. Its primary function is to provide advice on the interpretation and application of EU data protection law.

The GDPR (Art.51(3), 68-76): The EDPB is made up of representatives of DPAs from each Member State. It provides advice, but also takes an active role in enforcing EU data protection law. Where more than one DPA is appointed in a Member State (e.g., in Germany each Bundesland has a DPA) the Member State appoints a single representative to the EDPB.

Impact: In effect, the EDPB replaces the WP29 and assumes the WP29's functions. However, the extent to which the EDPB will play an active role in enforcement proceedings remains uncertain.

DPA cooperation

Issue: In order for EU data protection law to operate consistently across all Member States, it is important for DPAs to cooperate with one another (see Chapter 15).

The Directive (Art.29): DPAs are required to cooperate to the extent necessary to implement and enforce EU data protection law.

The GDPR (Rec.133, 134; Art.61-62): DPAs are required to cooperate and provide each other with mutual assistance. They also have formal legal authority to carry out joint operations.

Impact: In cases in which organisations are under investigation in multiple Member States, these changes should make the investigation process easier to manage.

In most other cases, these changes have no practical impact on organisations.

Consistency Mechanism

Issue: One of the most significant difficulties organisations face in dealing with DPAs is the inconsistent nature of decisions taken at the national level.

The Directive (N/A): The Directive offers no formal mechanism for ensuring that DPAs reach decisions that are consistent. As a result, DPAs take different positions on the same issue, from time to time.

The GDPR (Rec.135-138; Art.4(23), 56, 63-67): Where an organisation engages in cross-border data processing (i.e., processing that affects data subjects in multiple Member States), a DPA that wishes to take action must consult with the other affected DPAs to ensure consistency in the application of the GDPR.

Impact: For any organisation that operates in multiple Member States, the Consistency Mechanism is a positive development, as it should result in a more uniform application of EU data protection law to the processing operations of that organisation.

Further analysis

Commentary: The role and function of DPAs

DPAs are responsible for enforcing EU data protection law. They (together with the WP29/EDPB) also provide guidance on the interpretation of that law. While such guidance is not legally binding, it is strongly indicative of the enforcement position that DPAs are likely to take.

DPAs are appointed by each Member State. Some Member States (e.g., Germany) appoint multiple DPAs in a federal structure. Others (e.g., Denmark) appoint separate public bodies with responsibility for enforcing different aspects of data protection law.

Most organisations tend not to deal directly with a DPA unless a complaint has been made regarding that organisation, or a serious breach of the law has occurred. When dealing with DPAs, it is important for an organisation to ensure that it has legal advisors who are both experienced in the field and familiar with the operations of DPAs.

Commentary: The Consistency Mechanism

Where a DPA takes a decision that only affects the processing of personal data on the territory of its own Member State (e.g., where an organisation only operates within that Member State), the Consistency Mechanism does not apply. However, where a DPA takes a decision affecting processing across multiple Member States, that decision must be notified to the EDPB, which must then produce an opinion on the decision within 8 weeks (extended to 14 weeks in complex cases). (In exceptional circumstances, a DPA can take emergency measures lasting up to three months without going through the Consistency Mechanism.)

In principle, the Consistency Mechanism will ensure that organisations face consistent compliance requirements across the Member States in which they do business. However, in practice there is a risk that the EDPB will face large numbers of requests from concerned DPAs in a very short space of time, and this may lead to inconsistent application of the relevant principles. In addition, organisations and data subjects have no direct voice in the Consistency Mechanism, which may lead to difficulties in ensuring transparency in the process.

Example: Qualifying for the One-Stop-Shop

Q. Organisation A would like to qualify for the One-Stop-Shop (because it would like to simplify its EU data protection compliance obligations by dealing with a single DPA, as far as possible). Organisation A is headquartered in New York, and has EU operations in the UK, France, Germany and Spain. Most of its data processing operations take place on a "cloud" platform, rather than at individual locations. How can Organisation A qualify for the One-Stop-Shop?

A. In order to qualify for the One-Stop-Shop, Organisation A will need to have a "place of main establishment" in the EU (i.e., a headquarters for its operations in the EU, or a location at which it takes decisions regarding processing activities in the EU). If Organisation A does not have a place of main establishment in the EU, it will not qualify for the One-Stop-Shop, and will instead continue to deal with the DPA of each Member State in which it operates.